Abstract

Buresh-Oppenheim proved that the NP search problem to find nontrivial factors of integers of a special form belongs to Papadimitriou's class PPA, and is probabilistically reducible to a problem in PPP. In this paper, we use ideas from bounded arithmetic to extend these results to arbitrary integers. We show that general integer factoring is reducible in randomized polynomial time to a PPA problem and to the problem WeakPigeon ∈ PPP. Both reductions can be derandomized under the assumption of the generalized Riemann hypothesis. We also show (unconditionally) that PPA contains some related problems, such as square root computation modulo n, and finding quadratic nonresidues modulo n.

1 Introduction

Integer factoring is one of the best-known problems in complexity theory which is in NP, 
but is not known to be polynomial-time computable. In particular, the assumed hardness 
of factoring has various applications in cryptography. Papadimitriou [13] introduced several 
classes of search problems based on parity arguments and related combinatorial principles. 
He showed that many natural search problems from diverse areas of mathematics belong to 
one of these classes, and he posed as an open problem whether the same holds for integer 
factoring. 

The first step to answer Papadimitriou's question was undertaken by Buresh-Oppenheim [6]. He proved that factoring of "good" integers (odd integers n such that −1 is not a quadratic residue modulo n) such that n ≡ 1 (4) belongs to the search class PPA, and factoring of good integers is probabilistically poly-time reducible to a PPP problem. (Note that an odd integer is good iff it has a prime divisor p ≡ −1 (4).)

The purpose of this paper is to exhibit similar reductions for factoring of arbitrary integers. We show that factoring is probabilistically poly-time reducible to a PPA problem, as well as to WeakPigeon, which is a PPP problem. (A similar probabilistic reduction of factoring to PPP was also independently found by Buresh-Oppenheim [5].) We isolate a convenient intermediate problem, which we call FacRoot: given integers n and a such that the Jacobi symbol (a|n) = 1, find either a proper divisor of n, or a square root of a modulo n. It is not hard to show that factoring is probabilistically poly-time reducible to FacRoot.

The main technical ingredient of our work is to demonstrate that FacRoot ∈ PPA. The high-level idea of the proof comes from bounded arithmetic. Jeřábek [11] introduced an arithmetical theory S^1_2 + Count_2(PV) related to PPA, and established that this theory can prove the quadratic reciprocity theorem and other properties of the Jacobi symbol, which together imply the soundness of the usual poly-time algorithm for the Jacobi symbol. In particular, S^1_2 + Count_2(PV) proves the totality of FacRoot, and then an application of a garden-variety witnessing theorem yields FacRoot ∈ PPA. However, since this paper is intended for a general computational complexity audience, we include a self-contained direct proof of this result; we do not assume any prior knowledge (or posterior, for that matter) of bounded arithmetic on the part of the reader.

All probabilistic reductions in this paper can be derandomized if we assume the generalized Riemann hypothesis (GRH). In particular, GRH implies that factoring is in PPA ∩ PPP (and moreover, it is poly-time reducible to WeakPigeon). We also show unconditionally that several problems concerning quadratic residues have deterministic Turing reductions to FacRoot, and as such are in PPA: for one, given n and a, we can find either a square root of a modulo n, or a suitable witness that a is a quadratic nonresidue. For another, given an odd n which is not a perfect square, we can find an a such that (a|n) = −1 (in particular, a is a quadratic nonresidue modulo n).

The paper is organized as follows. In Section 2, we review basic concepts used in the paper to fix the notation. Section 3 presents our main results, except for the somewhat complex proof of FacRoot ∈ PPA, which is given separately in Section 4. Some concluding remarks follow in Section 5.

2 Preliminaries 

An NP search problem is given by a poly-time computable relation R(x, y) such that R(x, y) implies ‖y‖ ≤ ‖x‖^c for some constant c; the problem is to find a y satisfying R(x, y) given x. (We use ‖x‖ to denote the length of x; most of our algorithms work with integers, and we reserve |x| for the absolute value of x. We also warn the reader that we will often call our binary integers n; we will not use the convention that n implicitly denotes the length of the input.) For brevity, we may use R to denote the search problem itself. A search problem R is total if for every x there exists a y such that R(x, y). Unless indicated otherwise, all search problems below will be assumed to be total NP search problems.

We will often specify NP search problems in the form "given an x such that P(x), find a y satisfying R(x, y)", where P is a poly-time condition. In order to make it formally a total search problem, this formulation will be understood to denote the problem associated with the relation (¬P(x) ∧ y = 0) ∨ (P(x) ∧ R(x, y)).
A search problem R is many-one reducible to a search problem S, written as R ≤_m S, if there are poly-time functions f, g such that S(f(x), y) implies R(x, g(x, y)). R is Turing-reducible to S, written as R ≤_T S, if there exists a poly-time oracle Turing machine M (where the oracle returns strings rather than yes/no answers) such that on input x, M computes a y solving R(x, y) whenever all answers of the oracle are correct solutions of S. The class of all search problems R such that R ≤_T S will be denoted FP^S. If C is a class of search problems, we write R ≤_m C if R ≤_m S for some S ∈ C, and similarly for R ≤_T C, FP^C, as well as other reduction notions mentioned below.

Let a circuit C: 2^n → 2^n (here, 2 = {0, 1}) encode an undirected graph G = (V, E), where V = 2^n \ {0^n}, and {u, v} ∈ E iff u, v ∈ V, u ≠ v, C(u) = v, and C(v) = u. Notice that G is a partial matching. Lonely is the following search problem: given C, find u ∈ V unmatched by G. The class PPA (for "polynomial parity argument") consists of all search problems many-one reducible to Lonely. (This is not Papadimitriou's definition of PPA; it comes from [3], where it is shown to be equivalent to the original one.) By abuse of notation, we will also use Lonely to denote the following variant of the problem. Let f(a, x), g(a) be poly-time functions such that for every a, g(a) is an odd natural number, and the function f_a(x) := f(a, x) is an involution (i.e., f_a(f_a(x)) = x) on the integer interval [0, g(a)). Then the problem is, given a, to find an x < g(a) which is a fixpoint of f_a (i.e., f_a(x) = x). We will often use the fact that PPA is closed under Turing reductions:

Theorem 2.1 (Buss and Johnson [8]) FP^PPA = PPA. □

The class PPP (for "polynomial pigeonhole principle") consists of problems many-one reducible to Pigeon, which is the following problem: given a circuit C: 2^n → 2^n, find either a pair u ≠ v such that C(u) = C(v), or a u such that C(u) = 0^n. If p(n) is any polynomial such that p(n) > n for every n, let WeakPigeon^{p(n)} denote the following problem: given a circuit C: 2^{p(n)} → 2^n, find u ≠ v such that C(u) = C(v). We define WeakPigeon := WeakPigeon^{n+1}; the choice of n + 1 here does not matter:

Lemma 2.2 For any polynomial p as above, WeakPigeon ≡_m WeakPigeon^{p(n)}.

Proof: Given a circuit C(x, u): 2^n × 2 → 2^n, we put m = p(n) − n, and we construct a circuit D: 2^n × 2^m → 2^n by D(x, u_0, ..., u_{m−1}) = C(···(C(C(x, u_0), u_1) ..., u_{m−1}). Given (x, u) ≠ (x′, u′) such that D(x, u) = D(x′, u′), we find the largest i < m such that (y_i, u_i) ≠ (y′_i, u′_i), where y_i = C(···(C(C(x, u_0), u_1) ..., u_{i−1}) and y′_i is defined in the same way from x′, u′. Then C(y_i, u_i) = C(y′_i, u′_i). □

The class of all search problems many-one reducible to WeakPigeon does not seem to have an established name in the literature, although it clearly deserves one. In analogy with PPP, we can call it PWPP for "polynomial weak pigeonhole principle". Note that neither PPP nor PWPP is known to be closed under Turing reductions. The proof of Lemma 2.2 also implies that problems of the following kind belong to PWPP; we will denote them all as WeakPigeon by abuse of notation. Let ε > 0 be a constant, and f, g poly-time functions such that for any a, g(a) > 0, and f_a(x) := f(a, x) maps the interval [0, ⌈(1 + ε)g(a)⌉) into [0, g(a)). Then the problem is, given a, to find u < v < ⌈(1 + ε)g(a)⌉ such that f_a(u) = f_a(v).
Apart from ≤_m and ≤_T, we will also need randomized reductions. We will use several different versions to be able to state our results precisely; the definitions below are not standard, but we believe they are quite natural.

For any constant 0 < ε < 1, we say that R is probabilistically many-one reducible to S with error ε, written as R ≤_m^{RP,ε} S, if there is a polynomial p and poly-time functions f(x, r) and g(x, r, y) such that for every x,

$$\Pr_{\|r\| = p(\|x\|)} \bigl[\forall y\, [S(f(x, r), y) \Rightarrow R(x, g(x, r, y))]\bigr] \ge 1 - \varepsilon.$$

We say that R is probabilistically many-one reducible to S with controlled error, written as R ≤_m^{RP} S, if there is a polynomial p and poly-time functions f(x, 1^k, r) and g(x, 1^k, r, y) such that for every x and k,

$$\Pr_{\|r\| = p(\|x\|, k)} \bigl[\forall y\, [S(f(x, 1^k, r), y) \Rightarrow R(x, g(x, 1^k, r, y))]\bigr] \ge 1 - 2^{-k}.$$

R is probabilistically Turing-reducible to S, written as R ≤_T^{RP} S, if there exists a polynomial p and a poly-time oracle Turing machine M such that

$$\Pr_{\|r\| = p(\|x\|)} \bigl[\text{every sound run of } M(x, r) \text{ solves } R(x, y)\bigr] \ge 1/2,$$

where a run is sound if all oracle answers are correct solutions of S. Note that the constant 1/2 here is arbitrary, as we can decrease the error from any constant ε > 0 to any other constant (or to controlled error as above) in the usual way: we can check solutions of R, hence we can run the machine several times with independent choices of r, and return the first correct solution to the search problem. We denote by TFRP^S the class of all R such that R ≤_T^{RP} S. We observe that we can split a randomized Turing reduction as a randomized many-one reduction followed by a deterministic Turing reduction; this is particularly useful when S is from a Turing-closed class such as PPA.

Lemma 2.3 TFRP^S ≤_m^{RP} FP^S.

Proof: Let T be the following search problem: given x and r, find a sound run of M^S(x, r). It is easy to see that T is a total NP search problem, and R ≤_m^{RP} T ≤_T S. □

Lemma 2.4 TFRP^{TFRP^S} = TFRP^S.

Proof: In view of Lemma 2.3 and the obvious transitivity of ≤_T^{RP}, it suffices to show that TFRP^S is closed under deterministic Turing reductions. Let thus T ∈ TFRP^S, and M^T be a poly-time oracle machine solving R(x, y). Since answers of the oracle have polynomial length, the total number of sound runs of M on input x is bounded by 2^{‖x‖^c} for some constant c. Using the above-mentioned amplification of success rate, we can find a randomized poly-time machine N^S solving T with error 2^{−‖x‖^{c+1}}. If we then use N to answer M's oracle queries while reusing the same pool of random bits for every call, all but a fraction of 2^{‖x‖^c} · 2^{−‖x‖^{c+1}} ≪ 1 of the random choices will be good for every possible run of the combined machine. □
A many-one reduction of R to S is supposed to construct a valid instance of S from whose solution it can recover a solution to the original problem. In the case of ≤_m^{RP}, the reduction algorithm succeeds in doing this only with some bounded probability. It will also be useful to consider stronger notions of reduction where we can check before consulting the oracle whether the particular choice of random bits leads to the desired result. The reduction function may abandon the computation with some bounded probability, but if it does not, then any valid solution of S gives a solution of R. Alternatively, we could repeat the computation until we find a "good" instance of S, and only then pass the query to the oracle; in this way, the redu­ction always succeeds, but only its expected running time is polynomial.

Formally, R is probabilistically zero-error many-one reducible to S, written as R ≤_m^{ZPP} S, if there is a polynomial p, poly-time functions f(x, r) and g(x, r, y), and a poly-time predicate h(x, r), such that

(i) $\Pr_{\|r\| = p(\|x\|)} [h(x, r)] \ge 1/2$,

(ii) if h(x, r) and S(f(x, r), y), then R(x, g(x, r, y)).

Similarly, R is probabilistically zero-error Turing-reducible to S, written as R ≤_T^{ZPP} S, if there is a polynomial p, a poly-time predicate h(x, r), and a poly-time oracle Turing machine M, such that (i) holds, and if h(x, r), then every sound run of M^S(x, r) solves R(x, y). Again, the constant 1/2 is arbitrary; we can amplify the success rate from any constant ε > 0 to 1 − 2^{−k} (even for many-one reductions). Let TFZPP^S denote the class of all problems R such that R ≤_T^{ZPP} S. Note that if there is no oracle, TFZPP = TFRP.

Factoring is the following search problem: given a composite integer n, find a nontrivial divisor of n. We define FullFac to be the following problem: given an integer n > 0, find a sequence ⟨p_i : i < k⟩ of primes such that n = ∏_{i<k} p_i (here and below, the empty product is defined to be 1). Note that Factoring and FullFac are total NP search problems as primality testing is poly-time (Agrawal, Kayal, and Saxena [1]). Clearly, Factoring ≤_m FullFac ≤_T Factoring.

We will denote the divisibility relation by d | n, modular congruences by a ≡ b (n), and greatest common divisors by (a, b). An integer a is a quadratic residue modulo n if a ≡ b^2 (n) for some b. The Legendre symbol is defined for any integer a and an odd prime p by

$$\left(\frac{a}{p}\right) = \begin{cases} 0 & p \mid a, \\ 1 & p \nmid a \text{ and } a \text{ is a quadratic residue mod } p, \\ -1 & p \nmid a \text{ and } a \text{ is a quadratic nonresidue mod } p. \end{cases}$$

More generally, the Jacobi symbol is defined for any odd n > 0 by

$$\left(\frac{a}{n}\right) = \prod_{i<k} \left(\frac{a}{p_i}\right),$$

where n = ∏_{i<k} p_i is the prime factorization of n. We will also write (a|n) instead of $\left(\frac{a}{n}\right)$ for typographical convenience. A Dirichlet character of modulus n is a group homomorphism χ: (Z/nZ)* → C*. A character is principal if it only assumes the value 1, and real if it takes values in {1, −1}. Characters can be lifted to mappings Z → C by putting χ(a) = 0 when (a, n) ≠ 1. Note that for any odd positive n, χ_n(x) = (x|n) is a real character of modulus n (in particular, (a|n)(b|n) = (ab|n)), and it is principal iff n is a perfect square. The characters χ_n are called quadratic. The quadratic reciprocity theorem states that for any coprime odd n, m > 0,

$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = \begin{cases} -1 & n \equiv m \equiv -1 \ (4), \\ 1 & \text{otherwise.} \end{cases}$$

Together with the supplementary laws

$$\left(\frac{-1}{n}\right) = \begin{cases} 1 & n \equiv 1 \ (4), \\ -1 & n \equiv -1 \ (4), \end{cases} \qquad \left(\frac{2}{n}\right) = \begin{cases} 1 & n \equiv \pm 1 \ (8), \\ -1 & n \equiv \pm 3 \ (8), \end{cases}$$

it implies that the Jacobi symbol is poly-time computable (see Figure 1).

    r ← 1
    while a ≠ 0 do:
        if a < 0 then:
            a ← −a
            r ← −r if n ≡ −1 (4)
        while a is even do:
            a ← a/2
            r ← −r if n ≡ ±3 (8)
        swap a and n
        r ← −r if a ≡ n ≡ −1 (4)
        reduce a modulo n so that |a| < n/2
    if n > 1 then output 0 else output r

Figure 1: An algorithm for the Jacobi symbol (a|n)
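The algorithm of Figure 1 in running form, as an added example that is not part of the paper: `jacobi` transcribes Figure 1 step by step, and `figure1_matches_definition` checks it against the definition of the Jacobi symbol as a product of Legendre symbols (each computed by Euler's criterion a^{(p−1)/2} mod p, a standard fact not stated on the page) for every odd n below a bound; `is_principal` checks the remark that χ_n is principal iff n is a perfect square. All function names are mine.

```python
# Added example (not from the paper): Figure 1's Jacobi symbol algorithm,
# checked against the definition (a|n) = prod_{i<k} (a|p_i), n = prod_{i<k} p_i.
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a|n) for odd n > 0, following Figure 1 line by line."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    r = 1
    while a != 0:
        if a < 0:
            a = -a
            if n % 4 == 3:                # (-1|n) = -1 iff n = -1 (4)
                r = -r
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):           # (2|n) = -1 iff n = +-3 (8)
                r = -r
        a, n = n, a                       # swap a and n (quadratic reciprocity)
        if a % 4 == 3 and n % 4 == 3:     # sign flips iff a = n = -1 (4)
            r = -r
        a %= n                            # reduce a modulo n so that |a| < n/2
        if a > n // 2:
            a -= n
    return 0 if n > 1 else r


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a|p) for an odd prime p, via Euler's criterion."""
    if a % p == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def prime_factors(n: int) -> list:
    """Prime factorization of n > 0 with multiplicity, by trial division."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def jacobi_by_definition(a: int, n: int) -> int:
    """(a|n) as the product of (a|p_i) over the prime factorization of odd n;
    the empty product (n = 1) is 1."""
    result = 1
    for p in prime_factors(n):
        result *= legendre(a, p)
    return result


def figure1_matches_definition(bound: int) -> bool:
    """Compare Figure 1 with the definition for all odd n < bound, -n <= a < 2n."""
    return all(jacobi(a, n) == jacobi_by_definition(a, n)
               for n in range(1, bound, 2) for a in range(-n, 2 * n))


def is_principal(n: int) -> bool:
    """True iff chi_n(a) = (a|n) equals 1 on every unit a modulo the odd n."""
    return all(jacobi(a, n) == 1 for a in range(1, n) if gcd(a, n) == 1)
```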

The generalized Riemann hypothesis^1 (GRH) states that for every Dirichlet character χ, all zeros of its associated L-function L(χ, s) with 0 < Re(s) < 1 have in fact Re(s) = 1/2. Let GRH_Q denote the special case of GRH for quadratic characters χ. We will use the following result of Bach [2].

Theorem 2.5 Assume GRH_Q. If χ is a nonprincipal quadratic character with modulus n, there exists 0 < a < 2(ln n)^2 such that χ(a) ≠ 1. □

^1 Also called the extended Riemann hypothesis (ERH). The nomenclature of various extensions of RH varies wildly in the literature. We chose to denote the RH for Dirichlet L-functions by GRH as this name seems to be more specific, whereas ERH is often used for other generalizations of RH, such as the RH for Dedekind ζ-functions, or L-functions of Hecke characters.
3 Search complexity of factoring

In this section, we are going to describe our main result (Theorem 3.7) on the relationship of factoring to the classes PPA and PPP (PWPP). Rather than working directly with Factoring, it will be convenient to consider other related problems.

Definition 3.1 Let FacRoot denote the following problem: given an odd integer n > 0 and an integer a such that (a|n) = 1, find either a nontrivial divisor of n, or a square root of a modulo n.

We also give names to some special cases of FacRoot. FacRootMul denotes the problem, given odd n > 0 and integers a and b, to find a nontrivial divisor of n or a square root of one of a, b, or ab modulo n.

WeakFacRoot is the following problem: given an odd n > 0 and a, b such that (a|n) = 1 and (b|n) = −1, find a nontrivial divisor of n, or a square root of a modulo n.

We start with basic dependencies between these problems. 
Lemma 3.2

(i) WeakFacRoot ≤_m FacRootMul ≤_m FacRoot,

(ii) WeakFacRoot ≤_m Factoring.

Proof: (i): WeakFacRoot is a special case of FacRootMul, since (a|n) = 1 and (b|n) = −1 imply that neither b nor ab is a quadratic residue modulo n. Given an instance of FacRootMul, the multiplicativity of the Jacobi symbol implies that (x|n) = 1 for some x ∈ {a, b, ab}. We can choose such an x as the Jacobi symbol is poly-time computable, and then we pass it to FacRoot.

(ii): If n is prime, we can compute a square root of a modulo n in polynomial time using the Shanks-Tonelli algorithm. This algorithm is deterministic if we provide it with a quadratic nonresidue, which we can: b. If n is composite, we pass it to Factoring. □

Lemma 3.3

(i) FacRoot ≤_m^{ZPP} WeakFacRoot,

(ii) Factoring ≤_m^{RP,1/2} FacRoot,

(iii) Factoring ≤_m^{RP,1/2} WeakFacRoot.

Proof: (i): If n is a perfect square, we can return √n as its nontrivial divisor (unless it is 1, in which case we can return 0 as the square root of a). Otherwise χ_n is a nonprincipal real character, hence with probability at least 1/2, a randomly chosen 0 < b < n either shares a factor with n (in which case we can return (n, b) as a nontrivial divisor) or satisfies (b|n) = −1, and we can pass it to WeakFacRoot.

(ii): If n is even or a perfect power, we can factor it directly, hence we may assume n is odd and it has k ≥ 2 distinct prime divisors. We consider the following reduction. We choose
a random 0 < a < n. If (a, n) ≠ 1, we can return it as a nontrivial divisor of n, otherwise we pass n, a to a FacRoot oracle.

Since χ_n is a nonprincipal real character, we have (a|n) = 1 for a half of all residues from (Z/nZ)*. On the other hand, if n = ∏_{i<k} p_i^{e_i}, where the p_i are distinct primes, then a coprime to n is a quadratic residue modulo n iff (a|p_i) = 1 for every i < k. Using the Chinese remainder theorem, a fraction 2^{−k} of (Z/nZ)* are quadratic residues. Thus, with probability at least 1/2 − 2^{−k} ≥ 1/4, the chosen a either shares a factor with n, or it satisfies (a|n) = 1 while not being a quadratic residue, hence the FacRoot oracle must give us a factor of n.

We can amplify the success probability to 1/2 by observing that residues a such that (a|n) = 1 are poly-time samplable. We assume w.l.o.g. that n is not a perfect square. The reduction works as follows. We choose random 0 < a, b < n. If (n, a) ≠ 1 or (n, b) ≠ 1, we can factorize n. Otherwise, we let c be the first residue from the list a, b, ab which satisfies (c|n) = 1, and we call FacRoot(n, c). It is easy to see that the induced distribution of c is the uniform distribution over {c < n : (c|n) = 1}, hence conditioned on (a, n) = (b, n) = 1, c is a quadratic nonresidue with probability 1 − 2^{1−k} ≥ 1/2.

(iii): FacRoot ≤_m^{RP} WeakFacRoot by (i) and amplification of the success rate of ≤_m^{ZPP}, hence Factoring ≤_m^{RP,1/2+ε} WeakFacRoot for any ε > 0 by (ii). We can get rid of the ε by observing that the proof of (ii) actually shows Factoring ≤_m^{RP,1/2−1/√n} FacRoot, taking into account residues that share a factor with n. We can reduce the error of the ≤_m^{ZPP} reduction in (i) to 1/√n, hence Factoring ≤_m^{RP,1/2} WeakFacRoot. □

We remark that there is another well-known randomized reduction of factoring to square root computation modulo n by Rabin [14]. Adapted to our situation, the basic idea is that we choose a random 1 < a < n, and if it is coprime to n, we pass n, a^2 to the FacRoot oracle. If the oracle were implemented as a (deterministic or randomized) algorithm, we would have a 1/2 chance that the root b of a^2 returned by the oracle satisfies a ≢ ±b (n), allowing us to factor n. However, this does not work in general. According to the definition of search problem reduction, the reduction function must be able to cope with any valid answer to the oracle query; there is no implied guarantee that the oracle answers are computed independently of the environment. In particular, we may assume the oracle is devious enough to always return the root b = a we already know.

What we need now is to show that FacRoot or some of its variants belongs to PPA and PWPP.

Theorem 3.4 FacRoot ∈ PPA.

We will prove Theorem 3.4 in the next section, as the argument is a bit involved.

For the pigeonhole principle, we have the following reduction, whose idea comes from the proof of the multiplicativity of the Legendre symbol in IΔ_0 + WPHP(Δ_0) by Berarducci and Intrigila [4].

Theorem 3.5 FacRootMul ∈ PWPP.

Proof: Assume we are given an odd n > 1, and integers a, b. If a or b shares a factor with n, we can return (n, a) or (n, b), resp., as a nontrivial divisor of n; we thus assume both are coprime to n. Consider the following poly-time function f: {0, 1, 2} × [1, (n − 1)/2] → [1, n − 1]:

$$f(i, x) = a_i x^2 \bmod n,$$

where a_0 = 1, a_1 = a, a_2 = b. Since the domain of f is 3/2 times larger than its range, we can use WeakPigeon to find a collision f(i, x) = f(j, y), (i, x) ≠ (j, y). We may assume (n, x) = (n, y) = 1, as otherwise we can factor n. If i = j, then x^2 ≡ y^2 (n), but x ≢ ±y (n), hence (n, x − y) is a nontrivial divisor of n. If i < j, then a_j a_i^{−1} ≡ (xy^{−1})^2 (n) (where the inverses are also modulo n), hence xy^{−1} is a square root of a, b, or ba^{−1} modulo n. In the last case, axy^{−1} is a square root of ab. □
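The reduction in the proof of Theorem 3.5, as an added example that is not part of the paper: the function f(i, x) = a_i x² mod n is built, the WeakPigeon oracle is simulated by a brute-force collision search (so this only runs for small n), and a divisor or a square root is extracted following the proof's case analysis. The function names, the tuple-shaped answers and the `verify` checker are mine.

```python
# Added example (not from the paper): FacRootMul via one WeakPigeon query,
# following the proof of Theorem 3.5.  The oracle is simulated by brute force.
from math import gcd


def build_f(n, a, b):
    """f(i, x) = a_i x^2 mod n on {0,1,2} x [1,(n-1)/2], a_0 = 1, a_1 = a, a_2 = b."""
    coeff = (1, a % n, b % n)

    def f(i, x):
        return coeff[i] * x * x % n
    return f


def weak_pigeon_oracle(f, n):
    """Simulated WeakPigeon oracle: exhaustive search for (i,x) != (j,y) with
    f(i,x) = f(j,y).  A collision exists because the domain has 3(n-1)/2
    points while f takes fewer values (at most n, including the value 0)."""
    seen = {}
    for i in range(3):
        for x in range(1, (n - 1) // 2 + 1):
            v = f(i, x)
            if v in seen:
                return seen[v], (i, x)
            seen[v] = (i, x)
    raise AssertionError("unreachable for odd n >= 3 with a, b coprime to n")


def fac_root_mul(n, a, b):
    """Solve FacRootMul(n, a, b) for odd n > 1.
    Returns ('divisor', d) with 1 < d < n, or ('root', name, r) where
    r^2 = a, b or ab modulo n and name is 'a', 'b' or 'ab'."""
    if n <= 1 or n % 2 == 0:
        raise ValueError("n must be an odd integer > 1")
    a, b = a % n, b % n
    if a == 0:                        # 0 is trivially a square root of 0
        return ("root", "a", 0)
    if b == 0:
        return ("root", "b", 0)
    for v in (a, b):                  # a or b shares a factor with n
        if gcd(v, n) > 1:
            return ("divisor", gcd(v, n))
    f = build_f(n, a, b)
    (i, x), (j, y) = sorted(weak_pigeon_oracle(f, n))   # ensures i <= j
    for v in (x, y):                  # x or y shares a factor with n
        if gcd(v, n) > 1:
            return ("divisor", gcd(v, n))
    if i == j:
        # x^2 = y^2 (n) and x != +-y (n) since 0 < x < y <= (n-1)/2,
        # so n divides (x-y)(x+y) but neither factor: (n, x-y) is proper
        return ("divisor", gcd(n, x - y))
    q = x * pow(y, -1, n) % n         # q = x y^{-1} is a root of a_j a_i^{-1}
    if i == 0:
        return ("root", "a" if j == 1 else "b", q)
    return ("root", "ab", a * q % n)  # (i, j) = (1, 2): (a x y^{-1})^2 = ab (n)


def verify(n, a, b, result):
    """Check an answer of fac_root_mul against the FacRootMul specification."""
    if result[0] == "divisor":
        d = result[1]
        return 1 < d < n and n % d == 0
    _, name, r = result
    target = {"a": a, "b": b, "ab": a * b}[name]
    return (r * r - target) % n == 0
```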

We mention that essentially the same reduction of Factoring to WeakPigeon by means 
of FacRootMul was used in a different context in [10, Thms. 4.1-2], and a similar reduction 
was independently discovered by Buresh-Oppenheim [5]. 

While we do not know whether PWPP is closed under general Turing reductions, the next 
lemma shows that it is closed under nonadaptive Turing reductions. 

Lemma 3.6 The following problem, denoted WeakPigeon^∥, is in PWPP: given a sequence ⟨C_i : i < m⟩ of circuits C_i: 2^{n_i+1} → 2^{n_i}, find sequences ⟨u_i : i < m⟩ and ⟨v_i : i < m⟩ such that u_i, v_i ∈ 2^{n_i+1}, u_i ≠ v_i, and C_i(u_i) = C_i(v_i) for each i < m.

Proof: Put n = max_i n_i. We can pad each C_i to n output bits by considering the circuit C′_i: 2^{n−n_i} × 2^{n_i+1} → 2^{n−n_i} × 2^{n_i} defined by C′_i(x, u) = (x, C_i(u)), hence we may assume n = n_i without loss of generality. By Lemma 2.2, we can amplify each C_i to a circuit D_i: 2^{mn+1} → 2^n, and we define a circuit D: 2^{mn+1} → (2^n)^m by D(u) = ⟨D_i(u) : i < m⟩. Using a call to WeakPigeon, we find u ≠ v such that D(u) = D(v). Then D_i(u) = D_i(v) for each i, and we can compute u_i ≠ v_i such that C_i(u_i) = C_i(v_i). □

We obtain the main result of this paper by putting everything together:

Theorem 3.7

(i) Factoring, FullFac ≤_m^{RP} PPA,

(ii) Factoring ≤_m^{RP} PWPP ⊆ PPP and FullFac ≤_m^{RP} FP^{PWPP} ⊆ FP^{PPP}.

Proof: (i): FullFac is in TFRP^{FacRoot} by Lemmas 3.3 and 2.4, hence in TFRP^{PPA} by Theorem 3.4. This implies FullFac ≤_m^{RP} FP^{PPA} = PPA by Lemma 2.3 and Theorem 2.1.

(ii): We have Factoring ≤_m^{RP,1/2} PWPP by Lemma 3.3 and Theorem 3.5. Given k in unary, we can reduce the error to 2^{−k} with k parallel calls to a WeakPigeon oracle, which implies Factoring ≤_m^{RP} WeakPigeon^∥ ∈ PWPP by Lemma 3.6. As in (i), we have FullFac ≤_T^{RP} PWPP, hence FullFac ≤_m^{RP} FP^{PWPP} by Lemma 2.3. □

It would be desirable to derandomize the results in Theorem 3.7. We are only able to do it 
under an extra assumption. 
Theorem 3.8 Assume GRH_Q.

(i) Factoring ≡_m FacRoot ≡_m WeakFacRoot ≡_m FacRootMul,

(ii) Factoring, FullFac ∈ PPA,

(iii) Factoring ∈ PWPP, FullFac ∈ FP^{PWPP}.

Proof: It suffices to derandomize the reductions in Lemma 3.3 (i,ii). For FacRoot ≤_m WeakFacRoot, note that Theorem 2.5 guarantees that we can find a suitable b < 2(ln n)^2 = O(‖n‖^2).

For Factoring ≤_m FacRoot, it suffices to show that for any odd n which is not a prime power, there exists an 0 < a < (ln n)^{O(1)} such that either (a, n) > 1, or (a|n) = 1 and a is a quadratic nonresidue modulo n; the latter means that (a|p) = −1 for some prime p | n.

We can assume that (a, n) = 1 for every 0 < a < 2(ln n)^2, otherwise we are done. Let p be a prime divisor of n such that, if possible, the exponent of p in the prime factorization of n is even, so that n/p is not a perfect square. Then χ_{n/p} is a nonprincipal quadratic character, and there is 0 < u < 2(ln(n/p))^2 such that (u|n/p) = −1 by Theorem 2.5. This implies (u|n) = −(u|p). If (u|n) = 1, we can take a = u. Otherwise, we have (u|n) = −1 and (u|p) = 1. Since χ_p is also a nonprincipal quadratic character, there is 0 < v < 2(ln p)^2 such that (v|p) = −1. If (v|n) = 1, we can take a = v, otherwise we take a = uv. Either way, a < 4(ln p)^2 (ln(n/p))^2 ≤ (1/4)(ln n)^4. □

We can use FacRoot with constant a to obtain special cases of factoring that are unconditionally in deterministic PPA, see Example 4.6. In fact, we can factor n as long as there exists a quadratic nonresidue a = (log n)^{O(1)} such that (a|n) = 1. We can express this more perspicuously as follows.

Definition 3.9 Let s > 0. An integer n is s-strongly composite if we can write n = n_0 n_1 so that neither n_0 nor n_1 is a quadratic residue modulo s.

Notice that an odd integer is good in the sense of [6] iff it is 4-strongly composite.

Theorem 3.10 For any constant c, the following problem is in PPA: given an n > 0 which is s-strongly composite for s = ⌊(log n)^c⌋!, find a nontrivial divisor of n.

Proof: We can assume w.l.o.g. that n is coprime to ⌊(log n)^c⌋! (hence odd). It suffices to show that there exists an a with |a| ≤ (log n)^{2c} such that (a|n_0) = (a|n_1) = −1. Since n_i is a quadratic nonresidue modulo s, it is also a quadratic nonresidue modulo s_i, where s_i = 8, or s_i is an odd prime divisor of s, i.e., s_i ≤ (log n)^c.

Assume first that both n_0, n_1 are quadratic nonresidues modulo s_0. If s_0 is odd, we put a = s_0^* := (−1)^{(s_0−1)/2} s_0. Then (a|n_i) = (n_i|s_0) = −1 by quadratic reciprocity. If s_0 = 8, i.e., n_0, n_1 ≢ 1 (8), we choose m ∈ {3, 5, 7} such that m ≢ n_0, n_1 (8), and we put

$$a = \begin{cases} -2 & m = 3, \\ -1 & m = 5, \\ 2 & m = 7. \end{cases}$$

Then (a|n_0) = (a|n_1) = −1.

If both n_0, n_1 are quadratic nonresidues modulo s_1, we proceed similarly. Assume that n_i is a quadratic residue modulo s_{1−i} for i = 0, 1. Put

$$a_i = \begin{cases} s_i^* & s_i \text{ is odd}, \\ -1 & s_i = 8,\ n_i \equiv 3, 7 \ (8), \\ 2 & s_i = 8,\ n_i \equiv 5 \ (8), \end{cases}$$

and a = a_0 a_1. Then (a_i|n_i) = −1 and (a_{1−i}|n_i) = 1, hence (a|n_i) = −1. □



Conversely, one can show that if a is a quadratic nonresidue such that (a|n) = 1, then n is s-strongly composite for any s divisible by 4a.

In Theorem 3.10, we do not need s to have the exact form given there: it is only essential 
that the prime factorization of s is known. 

It is not clear whether one can fully unconditionally derandomize Theorem 3.7. While 
no deterministic polynomial-time algorithm to find quadratic nonresidues is known without 
GRH, in PPA we can do better: 

Lemma 3.11 The following problem is in FP^{FacRoot} ⊆ PPA: given an odd n > 1, find an a such that (a|n) = −1, or a nontrivial divisor of n.

Proof: Consider the following algorithm. Put a = −1. While (a|n) = 1, repeat the following steps: call the FacRoot oracle; if it provides a factor of n, we are done, otherwise we replace a with its square root modulo n.

The algorithm must halt within log_2 n iterations: if a is a 2^k-th root of −1, its order in (Z/nZ)* is 2^{k+1} < n. □

Notice that, conversely, FacRoot is Turing-reducible to WeakFacRoot together with the problem from Lemma 3.11.

In fact, FacRoot does the dual job of factoring and computing square roots. In Theorem 3.7 we have exploited its factoring capacity by supplying it with quadratic nonresidues, but we can also use it the other way round to obtain algorithms for finding square roots and quadratic nonresidues modulo arbitrary integers. We start with the latter.

Theorem 3.12 The following problem is in FP^{FacRoot} ⊆ PPA: given an odd n which is not a perfect square, find an a such that (a|n) = −1.

Proof: The algorithm maintains a sequence ⟨n_i : i < k⟩ of integers n_i > 1 such that n = ∏_{i<k} n_i, and a sequence ⟨a_i : i < k⟩, where some of the a_i may be undefined, but if a_i is defined, then (a_i|n_i) = −1. We initialize it with k = 1, n_0 = n, a_0 undefined, and we repeat in arbitrary order the following steps until neither is applicable any more:

• If n_i ≠ n_j are such that (n_i, n_j) > 1, we delete n_i, n_j from the sequence and replace them with (n_i, n_j) (two copies), n_i/(n_i, n_j), and n_j/(n_i, n_j), omitting those equal to 1 (this can happen only for one of the four numbers, hence the length of the sequence always increases). The a_i entries corresponding to the new numbers are undefined.
• If a_i is undefined, we call as an oracle the search problem from Lemma 3.11 on n_i. If it returns a nontrivial divisor of n_i, we expand the n_i sequence as in the previous step. Otherwise, it provides a value for a_i.

Since k ≤ log n, the algorithm must halt in O(‖n‖) steps. When it does, all a_i are defined, and the n_i entries are pairwise equal or coprime, hence we can write n = ∏_{i∈I} n_i^{e_i} for some I ⊆ {0, ..., k − 1} and e_i > 0, where the n_i, i ∈ I, are pairwise coprime. Since n is not a perfect square, we can pick i ∈ I such that e_i is odd. By the Chinese remainder theorem, we can compute an a such that a ≡ a_i (n_i^{e_i}) and a ≡ 1 (n/n_i^{e_i}). Then

$$(a|n) = (a|n_i)^{e_i}\,(a|n/n_i^{e_i}) = (a_i|n_i)^{e_i} = -1,$$

as e_i is odd. □



Corollary 3.13 The following problem is in 

pptAGHooT Q ppA; giyen n > 2> find an a 
coprime to n which is a quadratic nonresidue modulo n. 

Proof: If n is a power of 2, we can return 3. Otherwise, we can write n = 2 e m , where m 
is odd and not a perfect square. By Theorem 3.12, we can find a such that (a\m) = —1. By 
adding m to a if necessary, we can make sure a is odd, hence (n, a) = 1. Since a is a quadratic 
nonresidue modulo m | n, it is also a nonresidue modulo n. □ 

Another problem we are going to reduce to FacRoot is the computation of square roots 
modulo n. A priori it is not clear how to formulate it as a total NP search problem, as the 
quadratic residuosity problem is neither known nor assumed to be poly-time decidable. We 
can remedy this by requiring the search problem to find something sensible also for quadratic 
nonresidues. 

Definition 3.14 Let n be a positive integer. If (a, n) = 1, a divisor m | n is a coprime nonsquare witness for a modulo n if

• m is odd and (a|m) = −1, or

• m = 4 and a ≡ 3 (4), or

• m = 8 and a ≡ 5 (8).

If a is an arbitrary integer, an m is a nonsquare witness for a modulo n, if m is not a perfect square, m is odd or 2, and there are e, b, and j < e such that m^e | n, a = m^j b, (m, b) = 1, and if j is even, m (if m is odd) or 4 or 8 (if m = 2) is a coprime nonsquare witness for b modulo m^{e−j}.

It is easy to see that the property of being a nonsquare witness is poly-time decidable. 

Let Root denote the following search problem: given n > 0 and a, find either a square root of a modulo n, or a nonsquare witness for a modulo n.

Lemma 3.15 If there exists a nonsquare witness for a modulo n, then a is a quadratic nonresidue modulo n.

Proof: If m is a coprime nonsquare witness for a, then a is a quadratic nonresidue modulo m, and a fortiori modulo n.

Let m be a nonsquare witness for a, and let e, b, and j be as in Definition 3.14. Assume for contradiction a ≡ (uc)^2 (n), where (m, c) = 1, and u | m^k for some k. We have m^j | (uc)^2, hence m^j | u^2. Moreover, if we write u^2 = m^j v, then b ≡ vc^2 (m^{e−j}), hence (m, v) = 1, i.e., v = 1 and m^j = u^2. Since m is not a perfect square, this implies j is even. However, b ≡ c^2 (m^{e−j}) contradicts the fact that b has a coprime nonsquare witness modulo m^{e−j}. □
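As an added example (not part of the paper), the following Python decides the nonsquare-witness property of Definition 3.14 and checks Lemma 3.15 exhaustively for small moduli; jacobi, is_coprime_witness, is_nonsquare_witness and check_lemma_3_15 are names chosen here.

```python
from math import gcd, isqrt

# Added example (not the paper's code): deciding the nonsquare-witness property of
# Definition 3.14, and an exhaustive check of Lemma 3.15 for small moduli.

def jacobi(a, n):
    """Jacobi symbol (a|n) for odd n > 0, by the usual reduce/halve/flip algorithm."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_coprime_witness(m, a, n):
    """First part of Def. 3.14: (a, n) = 1 and m | n is a coprime nonsquare witness for a."""
    if gcd(a, n) != 1 or n % m != 0:
        return False
    if m % 2 == 1:
        return jacobi(a, m) == -1
    return (m == 4 and a % 4 == 3) or (m == 8 and a % 8 == 5)

def is_nonsquare_witness(m, a, n):
    """Second part of Def. 3.14: m is a nonsquare witness for an arbitrary a modulo n."""
    if m < 2 or isqrt(m) ** 2 == m or not (m % 2 == 1 or m == 2) or a == 0:
        return False
    e = 0                       # largest e with m^e | n; a larger e only weakens the condition
    while n % m ** (e + 1) == 0:
        e += 1
    j, b = 0, a                 # a = m^j b with (m, b) = 1
    while b % m == 0:
        j, b = j + 1, b // m
    if j >= e:
        return False
    if j % 2 == 1:
        return True
    modulus = m ** (e - j)      # j even: b needs a coprime witness modulo m^(e-j)
    if m % 2 == 1:
        return is_coprime_witness(m, b, modulus)
    return is_coprime_witness(4, b, modulus) or is_coprime_witness(8, b, modulus)

def check_lemma_3_15(n_max):
    """Brute force: a (coprime) nonsquare witness exists only for quadratic nonresidues."""
    for n in range(1, n_max + 1):
        squares = {x * x % n for x in range(n)}
        for a in range(n):
            for m in range(2, n + 1):
                if (is_nonsquare_witness(m, a, n) or is_coprime_witness(m, a, n)) and a in squares:
                    return False
    return True
```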

Notice that Root is a generalization of FacRoot: a nonsquare witness for a modulo n is a nontrivial divisor of n, unless n is odd and (a|n) = −1.

Theorem 3.16 Root ∈ FP^{FacRoot} ⊆ PPA.

Proof: Write n = 2^e m with m odd. In the first stage of our algorithm, we keep a sequence (n_i : i < k) of integers n_i > 1 such that m = ∏_{i<k} n_i, and a sequence of integers (u_i : i < k) where some u_i may be undefined. We maintain the property that whenever u_i is defined, we can write a = n_i^{j_i} a_i for some j_i so that (a_i, n_i) = 1, and we have a_i ≡ u_i^2 (n_i). We start with k = 1, n_0 = m and u_0 undefined, and we repeat the following steps until none of them is applicable any more:

• If n_i ≠ n_j are such that (n_i, n_j) > 1, we delete n_i, n_j from the sequence and replace them with two copies of (n_i, n_j), n_i/(n_i, n_j), and n_j/(n_i, n_j) as in the proof of Theorem 3.12.

• If n_i is a perfect square, we replace n_i with two copies of √n_i.

• If a = n_i^{j_i} a_i where n_i ∤ a_i, but (n_i, a_i) > 1, we replace n_i with (n_i, a_i) and n_i/(n_i, a_i).

• If a = n_i^{j_i} a_i where (a_i|n_i) = 1, but u_i is undefined, we call a FacRoot oracle on n_i, a_i. If it returns a nontrivial divisor d | n_i, we replace n_i with d and n_i/d. Otherwise, it returns a square root of a_i modulo n_i, which we store as u_i.

This stage terminates after O(‖n‖) steps. When it does, we can write m = ∏_{i∈I} n_i^{e_i} for some e_i > 0, I ⊆ {0, …, k − 1}, where n_i, i ∈ I, are pairwise coprime, none of them is a perfect square, and we have a = n_i^{j_i} a_i for some j_i and (a_i, n_i) = 1. For each i, we try to compute a square root z_i of a modulo n_i^{e_i} as follows:

• If j_i ≥ e_i, we put z_i = 0.

• If j_i < e_i, and j_i is odd or (a_i|n_i) = −1, we return n_i as a nonsquare witness for a.

• If j_i < e_i is even and (a_i|n_i) = 1, then u_i is defined, and u_i^2 ≡ a_i (n_i). We put z_i = n_i^{j_i/2} v_i, where v_i^2 ≡ a_i (n_i^{e_i}) is computed using Hensel's lifting, which is an iteration of the following procedure: if we have u such that u^2 ≡ a_i (n_i^c), we compute w = (2u)^{−1} (n_i^{2c}), and we put u' = (u^2 + a_i)w. Then u'^2 ≡ a_i (n_i^{2c}).

We also try to find a square root z of a modulo 2^e. We write a = 2^j b with b odd, and then:

• If j ≥ e, we put z = 0.

• If j < e, we return 2 as a nonsquare witness for a whenever one of the following cases happens: j is odd, or e − j ≥ 2 and b ≡ 3 (4), or e − j ≥ 3 and b ≡ 5 (8).

• Otherwise, j < e is even, and 1^2 ≡ b (2^{min{e−j,3}}). We put z = 2^{j/2} v, where v^2 ≡ b (2^{e−j}); if e − j > 3, we compute v using the following variant of Hensel's lifting. If we have u such that u^2 ≡ b (2^c), we compute w = u^{−1} (2^{2c−2}), and we put u' = ((u^2 + b)/2)w. Then u'^2 ≡ b (2^{2c−2}).

Finally, using the Chinese remainder theorem, we compute x such that x ≡ z (2^e) and x ≡ z_i (n_i^{e_i}) for every i, then x^2 ≡ a (n). □
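The procedure of Theorem 3.16, as an added example (not the paper's code) for small n: trial factoring and a brute-force square root modulo a prime stand in for the FacRoot oracle, so that the first stage is immediate and only the witness cases, the two Hensel liftings and the final CRT step remain; all function names are this example's own.

```python
# Added example, not the paper's code: the algorithm of Theorem 3.16 for small n, with trial
# factoring and a brute-force prime-modulus square root standing in for the FacRoot oracle
# (so the first stage, splitting m into coprime non-squares, is immediate).

def trial_factor(m):
    """Prime factorization of m > 0 as {p: e}; stands in for the oracle's factor outputs."""
    f, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            f[p], m = f.get(p, 0) + 1, m // p
        p += 1
    if m > 1:
        f[m] = f.get(m, 0) + 1
    return f

def sqrt_mod_prime(b, p):
    """Brute force: x with x^2 = b (mod p), or None when (b|p) = -1."""
    return next((x for x in range(p) if x * x % p == b % p), None)

def hensel_odd(u, b, p, e):
    """Lift u^2 = b (mod p) to u^2 = b (mod p^e): u' = (u^2 + b)(2u)^-1 doubles the exponent."""
    c = 1
    while c < e:
        mod = p ** (2 * c)
        u, c = (u * u + b) * pow(2 * u, -1, mod) % mod, 2 * c
    return u % p ** e

def hensel_two(b, e):
    """Lift 1^2 = b (mod 8), for b = 1 (mod 8), to u^2 = b (mod 2^e): u' = ((u^2 + b)/2) u^-1."""
    u, c = 1, 3
    while c < e:
        mod = 2 ** (2 * c - 2)
        u, c = ((u * u + b) // 2) * pow(u, -1, mod) % mod, 2 * c - 2
    return u % 2 ** e

def crt(pairs):
    """Combine (residue, modulus) pairs with pairwise coprime moduli into one residue."""
    x, mod = 0, 1
    for r, m in pairs:
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod

def root(n, a):
    """('root', x) with x^2 = a (mod n), or ('witness', m) with m a nonsquare witness
    for a modulo n in the sense of Definition 3.14."""
    a %= n
    if a == 0:
        return "root", 0
    parts = []
    for p, e in trial_factor(n).items():
        j, b = 0, a                       # a = p^j b with p not dividing b
        while b % p == 0:
            j, b = j + 1, b // p
        if j >= e:                        # a = 0 (mod p^e): z_i = 0
            parts.append((0, p ** e))
            continue
        if j % 2 == 1:                    # odd exponent: p is a nonsquare witness
            return "witness", p
        if p == 2:
            if (e - j >= 2 and b % 4 == 3) or (e - j >= 3 and b % 8 == 5):
                return "witness", 2
            v = hensel_two(b, e - j) if e - j > 3 else 1   # b = 1 (mod 2^min(e-j,3))
        else:
            u = sqrt_mod_prime(b, p)
            if u is None:                 # (b|p) = -1: p is a nonsquare witness
                return "witness", p
            v = hensel_odd(u, b, p, e - j)
        parts.append((p ** (j // 2) * v, p ** e))  # z_i = p^(j/2) v with v^2 = b (mod p^(e-j))
    return "root", crt(parts)
```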

4 FacRoot is in PPA 

The purpose of this section is to prove Theorem 3.4. As already mentioned in the introduction, 
the original idea of the proof comes from previous work of the author on the provability of 
the quadratic reciprocity theorem in variants of bounded arithmetic, and in fact, FacRoot ∈ PPA is a simple corollary of these results. This connection is described in detail in Section 4.1.
In order to make this paper more self-contained, we give a direct combinatorial proof of 
Theorem 3.4 in Section 4.2. Readers uncomfortable with bounded arithmetic may safely skip 
straight there. 

4.1 Bounded arithmetic 

We assume familiarity with basic facts about subsystems of bounded arithmetic, in particular 
Buss' theory S^1_2. We refer the reader to [7, 12] for more background.

Jeřábek [11] introduced a theory S^1_2 + Count_2(PV), axiomatized over S^1_2 by the following principle: for every number a and circuit C, C does not define an involution on {0, …, 2a} without fixpoints. Notice that the axiom is Σ^b_1, and the corresponding search problem is a minor variant of Lonely.

Lemma 4.1 If S^1_2 + Count_2(PV) ⊢ ∀x ∃y φ(x, y), where φ ∈ Σ^b_1, then the search problem to find a y satisfying φ(x, y) given x is in PPA.

Proof: By the assumption, S^1_2 proves

$$\exists a, C\ \forall u \le 2a\ \bigl(C(C(u)) = u \ne C(u) \le 2a\bigr) \vee \exists y\ \varphi(x, y),$$

hence S^1_2(h) proves its Herbrandization

$$\exists a, C\ \bigl(h(a, C) \le 2a \to C(C(h(a, C))) = h(a, C) \ne C(h(a, C)) \le 2a\bigr) \vee \exists y\ \varphi(x, y).$$

This is an ∃Σ^b_1(h) formula, hence using Parikh's theorem and Buss' witnessing theorem, there exists a polynomial-time oracle function f^h such that

$$(*)\qquad \exists a, C\ \bigl(h(a, C) \le 2a \to C(C(h(a, C))) = h(a, C) \ne C(h(a, C)) \le 2a\bigr) \vee \varphi(x, f^h(x))$$






holds in ℕ for any choice of h. Let us run f on an input x with an oracle solving the PPA-problem corresponding to Count_2 in place of h, and let y be its output. We may assume that f never asks the same question more than once, hence the oracle answers in any particular run can be extended to a function h which satisfies

$$h(a, C) \le 2a \wedge \bigl(C(C(h(a, C))) \ne h(a, C) \vee h(a, C) = C(h(a, C)) \vee C(h(a, C)) > 2a\bigr).$$

Then (*) implies φ(x, y). Thus, the search problem associated to φ is in FP^{PPA} = PPA using Theorem 2.1. □

Let J(a, n) denote a PV-function formalizing the algorithm in Figure 1. As shown in [11], S^1_2 + Count_2(PV) proves that J(a, n) agrees with the definition of the Jacobi symbol in terms of factorization of n and quadratic residues. In particular, the theory proves that for prime n, J(a, n) = 1 implies that a is a quadratic residue, which can be expressed as the following Σ^b_1 formula:

Theorem 4.2 (Jeřábek [11]) S^1_2 + Count_2(PV) proves

$$J(a, n) = 1 \to \exists x\ (x^2 \equiv a \pmod n) \vee \exists u, v < n\ (uv = n).\qquad \square$$

Theorem 3.4 readily follows.

4.2 Explicit algorithm 

Before turning to FacRoot proper, we will describe PPA algorithms for some of its special 
cases which we will need as ingredients in the main construction. 

We introduce some notation for conciseness. If n is a fixed odd integer n > 1, we consider

N = {x : |x| < n/2, (n, x) = 1}

as a set of unique representatives of (Z/nZ)*. We also write N^+ = {x ∈ N : x > 0}, N^− = {x ∈ N : x < 0}, N_0 = N ∪ {0}, and similarly for N^+_0, N^−_0. We assume operations on residues are computed modulo n with a result in N, so that, e.g., ab^{−1} ∈ N^+ means that a ≡ bx (n) for some x ∈ N^+.

Lemma 4.3 There is a poly-time function f(n, a, x) such that for any odd n > 1 and an integer a coprime to n, the function f_{n,a}(x) = f(n, a, x) defines an involution on

{x ∈ N^− : ax ∈ N^−} ∪ N^+_0

whose fixpoints are of the form x^{−1}, where

(i) x ∈ N^+ \ {1} and x^2 = 1, or

(ii) x ∈ N^− and x^2 = a.






Proof: We define f'_{n,a} on {x ∈ N^− : ax ∈ N^−} ∪ N^+ by

$$f'_{n,a}(x) = \begin{cases} x^{-1} & x, x^{-1} \in N^+,\\ a^{-1}x^{-1} & ax, x^{-1} \in N^-,\\ -x & (x, ax \in N^+ \wedge x^{-1} \in N^-) \vee (x, ax \in N^- \wedge x^{-1} \in N^+). \end{cases}$$

It is easy to see that the three conditions define a partition of {x ∈ N^− : ax ∈ N^−} ∪ N^+, and f'_{n,a} is an involution on each part. The fixpoints of f'_{n,a} in the first two parts have the forms (i) (without the restriction x ≠ 1) and (ii), respectively, and there are no fixpoints in the third part. Finally, we put

$$f_{n,a}(x) = \begin{cases} 1 & x = 0,\\ 0 & x = 1,\\ f'_{n,a}(x) & x \ne 0, 1. \end{cases}$$

□



Definition 4.4 For any constant α, let FacRoot_α denote the following special case of FacRoot: given an odd positive n such that (α|n) = 1, find either a nontrivial divisor of n, or a square root of α modulo n.



Lemma 4.5 FacRoot_{−1} and FacRoot_2 are in PPA.

Proof: Given n ≡ ±1 (8), observe that

{x ∈ N^− : 2x ∈ N^−} = N ∩ [−(n − 2 ± 1)/4, −1].

We define an involution τ on [−(n − 2 ± 1)/4, (n − 1)/2] by

$$\tau(x) = \begin{cases} x & x \ne 0,\ (x, n) \ne 1,\\ f_{n,2}(x) & \text{otherwise.} \end{cases}$$

The domain of τ is an interval of size (3n ± 1)/4, which is odd, hence we can use Lonely to find a fixpoint x of τ. Using Lemma 4.3, we see that either x^{−1} is a square root of 2, or it is a square root of 1 distinct from ±1, or (x, n) ≠ 1. In the last two cases, we can factorize n. For FacRoot_{−1}, we define similarly an involution on [0, (n − 1)/2] using f_{n,−1}. □
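An added example (not from the paper) that implements f_{n,a} as displayed above and the FacRoot_2 procedure of Lemma 4.5, with exhaustive search over the interval standing in for the Lonely oracle; rep, domain, f, facroot2 and the check functions are names chosen here.

```python
from math import gcd

# Added example (not the paper's code): the involution f_{n,a} of Lemma 4.3 on the signed
# representatives N = {x : |x| < n/2, (x, n) = 1}, and the Lemma 4.5 procedure for
# FacRoot_2, with exhaustive search over the interval standing in for the Lonely oracle.

def rep(x, n):
    """Reduce x modulo odd n to the representative in (-n/2, n/2)."""
    x %= n
    return x - n if x > n // 2 else x

def domain(n, a):
    """The set {x in N^- : ax in N^-} U N^+ U {0} on which f_{n,a} acts."""
    return [x for x in range(-(n // 2), n // 2 + 1)
            if x == 0 or (gcd(x, n) == 1 and (x > 0 or rep(a * x, n) < 0))]

def f(n, a, x):
    """f_{n,a}(x): swaps 0 and 1, otherwise applies f'_{n,a} by the three cases of Lemma 4.3."""
    if x in (0, 1):
        return 1 - x
    inv = rep(pow(x, -1, n), n)             # x^-1 as a signed representative
    ax = rep(a * x, n)
    if x > 0 and inv > 0:
        return inv                          # part (i): fixpoints satisfy x^2 = 1
    if ax < 0 and inv < 0:
        return rep(pow(a * x, -1, n), n)    # a^-1 x^-1; fixpoints give (x^-1)^2 = a
    return -x                               # x, ax of one sign, x^-1 of the other: no fixpoints

def check_involution(n, a):
    """f_{n,a} maps its domain onto itself and f(f(x)) = x."""
    dom = set(domain(n, a))
    return all(f(n, a, x) in dom and f(n, a, f(n, a, x)) == x for x in dom)

def check_involutions(n_max):
    return all(check_involution(n, a) for n in range(3, n_max, 2)
               for a in range(1, n) if gcd(a, n) == 1)

def facroot2(n):
    """Lemma 4.5: for n = +-1 (mod 8) return ('root', r) with r^2 = 2 (mod n), or ('factor', d)."""
    assert n % 8 in (1, 7)
    lo = -((n - 1) // 4) if n % 8 == 1 else -((n - 3) // 4)   # -(n - 2 +- 1)/4
    def tau(x):
        return x if x != 0 and gcd(x, n) != 1 else f(n, 2, x)
    # The interval has odd size (3n +- 1)/4, so the involution tau has a fixpoint;
    # enumerating the interval stands in for the Lonely oracle.
    x = next(x for x in range(lo, (n - 1) // 2 + 1) if tau(x) == x)
    if gcd(x, n) != 1:
        return "factor", gcd(x, n)
    y = pow(x, -1, n)
    if y * y % n == 2:
        return "root", y
    return "factor", gcd(y - 1, n)          # y^2 = 1 with y != +-1 splits n

def check_facroot2(n_max):
    """Every answer is a genuine square root of 2 or a nontrivial divisor."""
    for n in range(7, n_max):
        if n % 8 in (1, 7):
            kind, v = facroot2(n)
            if (kind == "root" and v * v % n != 2) or (kind == "factor" and not (1 < v < n and n % v == 0)):
                return False
    return True
```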

Using a similar construction, it is possible to show FacRoot_α ∈ PPA for every constant α. We skip the details, as we will not directly need this fact, and Theorem 3.4 is more general. However, notice that FacRoot_{−1} ∈ PPA restates Buresh-Oppenheim's original result, and any constant α yields a similar special case of factoring:

Example 4.6 The following search problems are in PPA.

Given n ≡ ±1 (8) such that 2 is a quadratic nonresidue modulo n (i.e., n has a divisor p ≡ ±3 (8)), find a nontrivial divisor of n.

Given n ≡ 1 (3) such that −3 is a quadratic nonresidue modulo n (i.e., n has a divisor p ≡ 2 (3)), find a nontrivial divisor of n.
Lemma 4.7 FacRootMul (and thus WeakFacRoot) is in PPA.

Proof: Let n > 1 be odd, and a, b coprime to n. Define

$$g(x) = \begin{cases} (0, -x) & x \in N^+_0,\\ (1, -x) & x, ax, b^{-1}x \in N^-,\\ (2, -x) & x, ax \in N^-,\ b^{-1}x \in N^+. \end{cases}$$

Then g is a poly-time bijection from {x ∈ N^− : ax ∈ N^−} ∪ N^+_0 onto

$$A = (\{0\} \times N^-_0) \cup (\{1\} \times \{x : x, ax, b^{-1}x \in N^+\}) \cup (\{2\} \times \{x \in N^+ : ax \in N^+,\ b^{-1}x \in N^-\})$$

with a poly-time inverse. Similarly,

$$h(x) = \begin{cases} (0, x) & x \in N^+,\\ (1, x) & x = 0 \text{ or } x, b^{-1}x, ax \in N^-,\\ (2, x) & x, b^{-1}x \in N^-,\ ax \in N^+ \end{cases}$$

is a bijection from {x ∈ N^− : b^{−1}x ∈ N^−} ∪ N^+_0 onto

$$B = (\{0\} \times N^+) \cup (\{1\} \times (\{0\} \cup \{x : x, ax, b^{-1}x \in N^-\})) \cup (\{2\} \times \{x \in N^- : ax \in N^+,\ b^{-1}x \in N^-\}),$$

x ↦ (2, bx) is a bijection from {x ∈ N^− : abx ∈ N^−} ∪ N^+_0 onto

$$C = \{2\} \times (\{0\} \cup \{x : ax \in N^- \vee b^{-1}x \in N^+\}),$$

and (1, x) ↦ (1, −x) is a fixpoint-free involution on

$$D = \{1\} \times \{x \in N : x, ax, b^{-1}x \text{ do not have the same sign}\}.$$

We can thus define a poly-time involution τ on {0, 1, 2} × [−(n − 1)/2, (n − 1)/2] by

$$\tau(e, x) = \begin{cases} g(f_{n,a}(g^{-1}(e, x))) & (e, x) \in A,\\ h(f_{n,b^{-1}}(h^{-1}(e, x))) & (e, x) \in B,\\ (2, b\,f_{n,ab}(b^{-1}x)) & (e, x) \in C,\\ (1, -x) & (e, x) \in D,\\ (e, x) & x \ne 0,\ (x, n) > 1. \end{cases}$$

Since 3n is odd, we can use Lonely to find a fixpoint (e, x) of τ. We cannot have (e, x) ∈ D. If x ≠ 0, (x, n) > 1, we can factor n. If (e, x) ∈ A, then y := g^{−1}(e, x) is a fixpoint of f_{n,a}. Thus, either y^2 = 1, y ≠ ±1, in which case we can factor n, or y^{−1} is a square root of a. Similarly, if (e, x) ∈ B ∪ C, we can factor n, or compute a square root of b or ab. □
Lemma 4.7 is enough to prove our main result, Theorem 3.7. However, we will proceed with the proof of Theorem 3.4, as we are interested in the possibility of unconditional derandomization of the reduction of factoring to PPA, and placing FacRoot in PPA can be seen as a partial step towards that goal. Moreover, randomized versions of Theorems 3.12 and 3.16 would not be interesting.

Lemma 4.8 The following problems are in PPA.

(i) FacRootOdd: given an odd n > 0, a sequence (a_i : i < k) of integers coprime to n such that k is odd, and a square root x of ∏_{i<k} a_i modulo n, find a nontrivial divisor of n, or a square root of some a_i modulo n.

(ii) FacRootEven: given an odd n > 0, and a sequence (a_i : i < k) of integers coprime to n such that k is even, find a nontrivial divisor of n, or a square root of ∏_{i<k} a_i or of some a_i modulo n.

Proof: (i): Put I = {0, …, k − 1} and y = 1, and repeat the following steps. If I = {i}, return xy^{−1} as a square root of a_i. If |I| > 1, pick i, j ∈ I, i ≠ j, and call FacRootMul on n, a_i, a_j. If it gives us a nontrivial divisor of n, or a square root of a_i or a_j, we return it. Otherwise, it provides a square root z of a_i a_j. We multiply y by z, remove i, j from I, and repeat the loop.

(ii): Put x = a_k = ∏_{i<k} a_i, and call FacRootOdd. □

Definition 4.9 QuadRec is the following problem: given odd coprime n, m > 0 such that n ≡ 1 (4), and a square root a of n modulo m, find a nontrivial divisor of n or m, or a square root of m modulo n.

Notice that QuadRec is a special case of FacRoot: the input data ensure (n|m) = 1, hence (m|n) = 1 by quadratic reciprocity.

Lemma 4.10 QuadRec ∈ PPA.

Proof: We may assume n, m > 1 and a ∈ M^−, so that b = a^{−1} ∈ M is a fixpoint of f_{m,n}. Put n_2 = (n + 1)/2, m_2 = (m + 1)/2. The function g

is a poly-time bijection with poly-time inverse from {x ∈ N^− : mx ∈ N^−} ∪ N^+_0 onto

$$A = (N^+_0 \times \{m_2\}) \cup \{(x, y) \in N^+ \times [0, m_2) : mx - ny \in N^+\},$$

where mx − ny is not evaluated modulo n, but literally. Likewise, the function h, defined by cases according to whether y ∈ M^+ or y, ny ∈ M^−,

is a bijection from {y ∈ M^− : ny ∈ M^−} ∪ M^+_0 onto

$$B = (\{n_2\} \times M^+_0) \cup \{(x, y) \in [0, n_2) \times M^+_0 : mx - ny \in M^-\}.$$

The function k(x, y) = (n_2 − 1 − x, m_2 − 1 − y) is a poly-time involution with no fixpoints on

$$C = \{(x, y) \in [0, n_2) \times [0, m_2) : mx - ny \ge n_2 \text{ or } mx - ny \le -m_2\}.$$

We define a poly-time involution τ on ([0, n_2] × [0, m_2]) \ {(n_2, m_2)} by

$$\tau(x, y) = \begin{cases} g(f_{n,m}(g^{-1}(x, y))) & (x, y) \in A,\\ h(f_{m,n}(h^{-1}(x, y))) & (x, y) \in B,\ (x, y) \ne h(b),\\ (0, 0) & (x, y) = h(b),\\ h(b) & x = y = 0,\\ k(x, y) & (x, y) \in C,\\ (x, y) & \text{otherwise.} \end{cases}$$

Notice that if x ∈ [0, n_2) and y ∈ [0, m_2) are such that mx − ny = 0, then x = y = 0, as (n, m) = 1. It follows that the last clause in the definition of τ applies to elements of the set

$$D = (([1, n_2) \setminus N^+) \times \{m_2\}) \cup (\{n_2\} \times ([1, m_2) \setminus M^+)) \cup \{(x, y) \in [0, n_2) \times [0, m_2) : mx - ny \in ([1, n_2) \setminus N^+) \cup ((-m_2, -1] \setminus M^-)\}.$$

The domain of τ has odd size (n_2 + 1)(m_2 + 1) − 1, hence using Lonely, we can find a fixpoint (x, y) of τ. If (x, y) ∈ A, it gives us a square root of m modulo n, or a square root of 1 distinct from ±1, in which case we can factorize n. If (x, y) ∈ B, we get a square root of n modulo m distinct from ±a, or a square root of 1 distinct from ±1, and both cases give a factor of m. If (x, y) ∈ D, (n, x) or (m, y) is a nontrivial divisor of n or m, respectively. □

We are ready now to prove Theorem 3.4. Assume we are given an odd n > 0, and an integer a such that (a|n) = 1. We first compute the sequences (a_i : i ≤ t), (n_i : i ≤ t) of values of a and n during the execution of the algorithm in Figure 1. That is, we put (a_0, n_0) = (a, n), and then we define (a_{i+1}, n_{i+1}) by induction on i as follows. If |a_i| > n_i/2, we let n_{i+1} = n_i, and a_{i+1} ≡ a_i (n_i) such that |a_{i+1}| < n_i/2. If 0 < |a_i| < n_i/2, we define

$$(a_{i+1}, n_{i+1}) = \begin{cases} (-a_i, n_i) & a_i < 0,\\ (a_i/2, n_i) & a_i > 0 \text{ is even},\\ (n_i, a_i) & a_i > 0 \text{ is odd}. \end{cases}$$

We stop when we reach a_t = 0. Since (a|n) = 1, we have (a_i, n_i) = 1 for each i, in particular n_t = 1. Notice that t = O(‖n‖). Write R = {i < t : a_i is odd, 0 < a_i < n_i/2}.

In the main part of the algorithm, we maintain a double sequence (n_{i,j} : i < t, j < s_i) of integers n_{i,j} > 1 such that n_i = ∏_{j<s_i} n_{i,j}, and n_{i,j} ≤ n_{i,j'} for j < j'. Moreover, we maintain sequences (u_{i,j} : i < t, j < s_i), (v_{i,j,k}, w_{i,j,k} : i ∈ R, j < s_i, k < s_{i+1}), where some of the u_{i,j}, v_{i,j,k}, and w_{i,j,k} may be undefined. Where they are defined, we have u_{i,j}^2 ≡ a_i (n_{i,j}), v_{i,j,k}^2 ≡ n_{i+1,k} (n_{i,j}), and w_{i,j,k}^2 ≡ n_{i,j} (n_{i+1,k}), respectively.

We initialize the sequences with s_i = 1, n_{i,0} = n_i for n_i > 1, s_i = 0 for n_i = 1, and all u_{i,j}, v_{i,j,k}, and w_{i,j,k} undefined. We repeat in arbitrary order the following updating steps until none of them is applicable any more.

• Assume n_i = n_{i+1}, n_{i,j} ≠ n_{i+1,k}, and d = (n_{i,j}, n_{i+1,k}) > 1. If d ≠ n_{i,j}, we increase s_i, replace n_{i,j} with d and n_{i,j}/d, and undefine all u, v, and w entries associated with n_{i,j}. If d ≠ n_{i+1,k}, we deal with it similarly. Notice that we cannot have n_{i,j} = d = n_{i+1,k}.

Moreover, if this step is not applicable, then n_i = n_{i+1} implies that s_i = s_{i+1} and (n_{i,j} : j < s_i) and (n_{i+1,k} : k < s_{i+1}) are permutations of each other, hence in view of their monotonicity, we have n_{i,j} = n_{i+1,j} for each j.

• For i < t such that (n_{i,j} : j < s_i) = (n_{i+1,k} : k < s_{i+1}) (which implies n_i = n_{i+1}):

— If a_i ≡ a_{i+1} (n_i), and exactly one of u_{i,j}, u_{i+1,j} is defined, we define the other to the same value.

— If a_i = αa_{i+1}, α ∈ {−1, 2}, (α|n_{i,j}) = −1, and neither u_{i,j} nor u_{i+1,j} is defined, we call FacRootMul(n_{i,j}, a_i, a_{i+1}). If it returns a nontrivial divisor of n_{i,j}, we expand the n_{i,j} sequence as in the first step. Otherwise, it gives a square root of a_i or a_{i+1} modulo n_{i,j}, which we store as u_{i,j} or u_{i+1,j}, respectively.

— If a_i = αa_{i+1}, α ∈ {−1, 2}, (α|n_{i,j}) = 1, and exactly one of u_{i,j} or u_{i+1,j} is defined, we call FacRoot_α(n_{i,j}). If it returns a nontrivial divisor of n_{i,j}, we expand the n_{i,j} sequence. Otherwise, it gives β^2 ≡ α (n_{i,j}), and we define u_{i,j} := βu_{i+1,j} or u_{i+1,j} := β^{−1}u_{i,j}, respectively.

• For i ∈ R:

— If u_{i,j} is defined and |I| is odd, where I = {k < s_{i+1} : v_{i,j,k} is undefined}, we put x = u_{i,j} ∏_{k∉I} v_{i,j,k}^{−1}, and call FacRootOdd on n_{i,j}, (n_{i+1,k} : k ∈ I), x. If it returns a factor of n_{i,j}, we expand the n_{i,j} sequence. Otherwise, it returns a square root of some n_{i+1,k}, k ∈ I, modulo n_{i,j}, which we store as v_{i,j,k}.

— If u_{i,j} is undefined and |I| is even, where I is as above, we call FacRootEven on n_{i,j}, (n_{i+1,k} : k ∈ I). If it returns a factor of n_{i,j}, we expand the n_{i,j} sequence. If it returns a square root of some n_{i+1,k}, k ∈ I, modulo n_{i,j}, we store it as v_{i,j,k}. Otherwise, it returns a square root x of ∏_{k∈I} n_{i+1,k}, and then we define u_{i,j} = x ∏_{k∉I} v_{i,j,k}.

— If u_{i+1,k} is defined and |I| is odd, or u_{i+1,k} is undefined and |I| is even, where I = {j < s_i : w_{i,j,k} is undefined}, we proceed in a similar way to expand the n_{i+1,k} sequence or to define some w_{i,j,k} or u_{i+1,k}.

— If n_{i,j} ≡ −1 (4), (n_{i+1,k}|n_{i,j}) = 1, and v_{i,j,k} is undefined, we call WeakFacRoot on n_{i,j}, n_{i+1,k}, −1. If it returns a factor of n_{i,j}, we expand the n_{i,j} sequence, otherwise it returns a square root of n_{i+1,k} modulo n_{i,j}, which we store as v_{i,j,k}.

— If n_{i+1,k} ≡ −1 (4), (n_{i,j}|n_{i+1,k}) = 1, and w_{i,j,k} is undefined, we proceed similarly.

— If n_{i,j} ≡ 1 (4), w_{i,j,k} is defined, and v_{i,j,k} is undefined, we call QuadRec on n_{i,j}, n_{i+1,k}, w_{i,j,k}. If it returns a factor of n_{i,j} or n_{i+1,k}, we expand the n_{i,j} or n_{i+1,k} sequence (respectively), otherwise it returns a square root of n_{i+1,k} modulo n_{i,j}, which we store as v_{i,j,k}.

— If n_{i+1,k} ≡ 1 (4), v_{i,j,k} is defined, and w_{i,j,k} is undefined, we proceed similarly.

In each step, either ∑_{i<t} s_i ≤ O(‖n‖^2) strictly increases, or it stays the same, and we define some previously undefined u_{i,j}, v_{i,j,k}, or w_{i,j,k}. It follows that the update procedure stops after ‖n‖^{O(1)} steps.



Let us write [a_i|n_{i,j}] = 1 if u_{i,j} is defined, and [a_i|n_{i,j}] = −1 otherwise. We define [n_{i+1,k}|n_{i,j}] and [n_{i,j}|n_{i+1,k}] similarly using v_{i,j,k} and w_{i,j,k}, respectively. Notice that [a_i|n_{i,j}] = 1 implies (a_i|n_{i,j}) = 1, and likewise for [n_{i+1,k}|n_{i,j}], [n_{i,j}|n_{i+1,k}].

Lemma 4.11 When the update procedure stops, the following properties hold.

(i) If n_i = n_{i+1}, then s_i = s_{i+1} and n_{i,j} = n_{i+1,j}.

(ii) If n_i = n_{i+1} and a_i ≡ a_{i+1} (n_i), then [a_i|n_{i,j}] = [a_{i+1}|n_{i+1,j}].

(iii) If n_i = n_{i+1} and a_i = αa_{i+1}, α ∈ {−1, 2}, then

$$[a_i|n_{i,j}] = \Bigl(\frac{\alpha}{n_{i,j}}\Bigr)[a_{i+1}|n_{i+1,j}].$$

(iv) If i ∈ R, then

$$[a_i|n_{i,j}] = \prod_{k<s_{i+1}} [n_{i+1,k}|n_{i,j}], \qquad [a_{i+1}|n_{i+1,k}] = \prod_{j<s_i} [n_{i,j}|n_{i+1,k}].$$

(v) If i ∈ R and n_{i,j} ≡ n_{i+1,k} ≡ −1 (4), then

$$[n_{i+1,k}|n_{i,j}] = -[n_{i,j}|n_{i+1,k}].$$

(vi) If i ∈ R and n_{i,j} ≡ 1 (4) or n_{i+1,k} ≡ 1 (4), then

$$[n_{i+1,k}|n_{i,j}] = [n_{i,j}|n_{i+1,k}].$$

Proof: (i), (ii), and (iv) are clear.

(iii): The statement is clear if (α|n_{i,j}) = 1. If (α|n_{i,j}) = −1, the inapplicability of update steps implies that [a_i|n_{i,j}] = 1 or [a_{i+1}|n_{i+1,j}] = 1. We cannot have both, since this would imply (a_i|n_{i,j}) = (a_{i+1}|n_{i,j}) = 1, hence (α|n_{i,j}) = 1.

(v): By quadratic reciprocity, exactly one of (n_{i+1,k}|n_{i,j}) = 1, (n_{i,j}|n_{i+1,k}) = 1 holds. The inapplicability of update steps then implies that [n_{i+1,k}|n_{i,j}] = 1 or [n_{i,j}|n_{i+1,k}] = 1. We cannot have both, as this would mean (n_{i+1,k}|n_{i,j}) = (n_{i,j}|n_{i+1,k}) = 1.

(vi): The statement is clear if n_{i,j} ≡ n_{i+1,k} ≡ 1 (4). Assume n_{i,j} ≡ 1 (4) and n_{i+1,k} ≡ −1 (4), the other case is symmetric. By the inapplicability of update steps, [n_{i,j}|n_{i+1,k}] = 1 implies [n_{i+1,k}|n_{i,j}] = 1. On the other hand, if [n_{i+1,k}|n_{i,j}] = 1, then (n_{i+1,k}|n_{i,j}) = 1, hence (n_{i,j}|n_{i+1,k}) = 1 by quadratic reciprocity, thus [n_{i,j}|n_{i+1,k}] = 1 by the inapplicability of update steps. □

Using Lemma 4.11, we can show

$$\prod_{j<s_i} [a_i|n_{i,j}] = \Bigl(\frac{a_i}{n_i}\Bigr)$$

by reverse induction on i. The induction step for i ∈ R goes as follows:

$$\begin{aligned}
\prod_{j<s_i} [a_i|n_{i,j}]
&= \prod_{j<s_i}\prod_{k<s_{i+1}} [n_{i+1,k}|n_{i,j}]
 = \prod_{j<s_i}\prod_{k<s_{i+1}} (-1)^{(n_{i,j}-1)(n_{i+1,k}-1)/4}\,[n_{i,j}|n_{i+1,k}]\\
&= (-1)^{(n_i-1)(n_{i+1}-1)/4} \prod_{k<s_{i+1}} [a_{i+1}|n_{i+1,k}]
 = (-1)^{(a_{i+1}-1)(n_{i+1}-1)/4}\Bigl(\frac{a_{i+1}}{n_{i+1}}\Bigr)
 = \Bigl(\frac{a_i}{n_i}\Bigr).
\end{aligned}$$

□

In particular, either s_0 > 1, in which case n_{0,0} is a nontrivial divisor of n, or s_0 = 1 and [a_0|n_{0,0}] = 1, where a_0 = a and n_{0,0} = n, in which case u_{0,0}^2 ≡ a (n). This completes the proof of Theorem 3.4.



5 Conclusion 

We have shown that integer factoring has randomized reductions to the classes PPA and PPP (more precisely, PWPP). We also provided evidence that there in fact exist deterministic reductions, namely this is true under the widely believed assumption of the generalized Riemann hypothesis for quadratic Dirichlet characters.

Problem 5.1 Is Factoring in PPA, PPP, or FP^{PPP}?

Some of our other results can be seen as partial indication that such an unconditional deterministic reduction might be possible at least in the case of PPA. In particular, the fact that FacRoot ∈ PPA bypasses the randomized reduction of WeakFacRoot to FacRoot, and we have shown that PPA contains the search problems to find square roots modulo arbitrary integers (which is probabilistically Turing-equivalent to factoring) and to find quadratic nonresidues (which is easily solvable in randomized polynomial time). Nevertheless, it remains open whether Problem 5.1 can be resolved unconditionally.






Another interesting question is whether the methods used for the reduction of factoring to PPA can be pushed down to the class PPAD ⊆ PPA. Note that many natural problems are known to be complete for PPAD, such as computing Nash equilibria [9].

Problem 5.2 Does Factoring have some form of reduction to PPAD?
Acknowledgements 